内存相关

!address命令：显示内存信范围和权限的命令，命令在用户态下也可以使用。如果不带参数，可以显示内存所有信息。

kd> !address
  804d8000 - 001f9000                           
          Usage       KernelSpaceUsageImage
          ImageName   ntkrnlpa.exe
  806d1000 - 00021000
          Usage       KernelSpaceUsageImage
          ImageName   halaacpi.dll
  80e86000 - 01501000
          Usage       KernelSpaceUsagePFNDatabase
  82387000 - 08000000
          Usage       KernelSpaceUsageNonPagedPool

kd> x win32k!NtUserCreateWindowEx
bf834964 win32k!NtUserCreateWindowEx = <no type information>
kd> !address bf834964
  bf800000 - 001c3000                           
          Usage       KernelSpaceUsageImage
          ImageName   \SystemRoot\System32\win32k.sys

!vm:显示虚拟内存信息：主要有物理大小，分页文件大小，分页内存大小等信息，用来检查内存使用情况，在进程虚拟内存中，每个进程按照从高到底的顺序排序，很容易看出大内存占用的进程。最后一部分是会话内存空间信息(关系到创建会话，窗口，钩子等)。

kd> !vm 4
*** Virtual Memory Usage ***
	Physical Memory:      786300 (   3145200 Kb)
	Page File: \??\C:\pagefile.sys
	  Current:   2095104 Kb  Free Space:   2080612 Kb
	  Minimum:   2095104 Kb  Maximum:      4190208 Kb
	Available Pages:      692972 (   2771888 Kb)
	ResAvail Pages:       707973 (   2831892 Kb)
	Locked IO Pages:        1264 (      5056 Kb)
	Free System PTEs:     161011 (    644044 Kb)
	Free NP PTEs:          32766 (    131064 Kb)
	Free Special NP:           0 (         0 Kb)
	Modified Pages:          721 (      2884 Kb)
	Modified PF Pages:       721 (      2884 Kb)
	NonPagedPool Usage:     2381 (      9524 Kb)
	NonPagedPool Max:      65536 (    262144 Kb)
	PagedPool 0 Usage:      5494 (     21976 Kb)
	PagedPool 1 Usage:       727 (      2908 Kb)
	PagedPool 2 Usage:       714 (      2856 Kb)
	PagedPool Usage:        6935 (     27740 Kb)
	PagedPool Maximum:     92160 (    368640 Kb)
	Shared Commit:         10924 (     43696 Kb)
	Special Pool:              0 (         0 Kb)
	Shared Process:         2241 (      8964 Kb)
	PagedPool Commit:       6935 (     27740 Kb)
	Driver Commit:          1196 (      4784 Kb)
	Committed pages:       57554 (    230216 Kb)
	Commit limit:        1269081 (   5076324 Kb)
	Total Private:         35500 (    142000 Kb)
         0454 vmtoolsd.exe      4926 (     19704 Kb)
         0538 explorer.exe      4466 (     17864 Kb)
         05dc SGTool.exe        3414 (     13656 Kb)
         03b8 svchost.exe       3072 (     12288 Kb)
         0270 winlogon.exe      2973 (     11892 Kb)
         06c0 vmtoolsd.exe      2886 (     11544 Kb)
         04d4 rundll32.exe      1724 (      6896 Kb)
         0470 wuauclt.exe       1644 (      6576 Kb)
         065c VGAuthService.e   1591 (      6364 Kb)
         05e4 ctfmon.exe        1372 (      5488 Kb)
         05ac spoolsv.exe       1102 (      4408 Kb)
         02a8 lsass.exe         1003 (      4012 Kb)
         077c wmiprvse.exe       985 (      3940 Kb)
         034c svchost.exe        777 (      3108 Kb)
         0608 svchost.exe        559 (      2236 Kb)
         0394 svchost.exe        455 (      1820 Kb)
         0258 csrss.exe          452 (      1808 Kb)
         029c services.exe       424 (      1696 Kb)
         01e8 SohuNews.exe       406 (      1624 Kb)
         0428 svchost.exe        390 (      1560 Kb)
         03f0 svchost.exe        343 (      1372 Kb)
         00b0 alg.exe            314 (      1256 Kb)
         0340 vmacthlp.exe       173 (       692 Kb)
         0228 smss.exe            42 (       168 Kb)
         0004 System               7 (        28 Kb)
	Terminal Server Memory Usage By Session:    //会话
	Session Paged Pool Maximum is 4096K
	Session View Space Maximum is 49152K
               
	Session ID 0 @ badca000:
	Paged Pool Usage:           0K
	Commit Usage:            2108K

对象相关

!handle：查看句柄信息，包括句柄类型，引用计数，句柄名，0参数等同与默认参数，表示所有句柄！

!handle [0]:

kd> !handle
processor number 0, process 805539a0
PROCESS 805539a0  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00331000  ObjectTable: e1001c88  HandleCount: 250.
    Image: Idle
Handle table at e16fd000 with 250 Entries in use
0004: Object: 8a32c830  GrantedAccess: 001f0fff Entry: e1002008
Object: 8a32c830  Type: (8a32ce70) Process
    ObjectHeader: 8a32c818 (old version)
        HandleCount: 2  PointerCount: 60
0008: Object: 8a32b020  GrantedAccess: 00000000 Entry: e1002010
Object: 8a32b020  Type: (8a32cca0) Thread
    ObjectHeader: 8a32b008 (old version)
        HandleCount: 1  PointerCount: 1

!handle xxxxxxx：查看指定进程的句柄信息。

kd> !prcess 0 0
No export prcess found
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 8a32c830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00331000  ObjectTable: e1001c88  HandleCount: 250.
    Image: System
kd> !handle 8a32c830
processor number 0, process 805539a0
PROCESS 805539a0  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00331000  ObjectTable: e1001c88  HandleCount: 250.
    Image: Idle
Kernel Handle table at e16fd000 with 250 Entries in use
8a32c830: free handle, Entry address 8a297a88, Next Entry 00000000

!handle [xxx]:显示指定的句柄信息

kd> !handle 0550
processor number 0, process 89f0ada0
PROCESS 89f0ada0  SessionId: 0  Cid: 0190    Peb: 7ffd5000  ParentCid: 0550
    DirBase: 13680340  ObjectTable: e27288a0  HandleCount: 336.
    Image: SogouCloud.exe
Handle table at e11d1000 with 336 Entries in use
0550: Object: 8a14a030  GrantedAccess: 001f0001 (Inherit) Entry: e11d1aa0
Object: 8a14a030  Type: (8a3295e0) Mutant
    ObjectHeader: 8a14a018 (old version)
        HandleCount: 1  PointerCount: 2
        Directory Object: e155ad10  Name: mutex_file_0x006E005D

!handle [xxxx] 3 [yyy]:显示指定的进程的指定句柄

kd> !handle 0550
processor number 0, process 89f0ada0
PROCESS 89f0ada0  SessionId: 0  Cid: 0190    Peb: 7ffd5000  ParentCid: 0550
    DirBase: 13680340  ObjectTable: e27288a0  HandleCount: 336.
    Image: SogouCloud.exe
Handle table at e11d1000 with 336 Entries in use
0550: Object: 8a14a030  GrantedAccess: 001f0001 (Inherit) Entry: e11d1aa0
Object: 8a14a030  Type: (8a3295e0) Mutant
    ObjectHeader: 8a14a018 (old version)
        HandleCount: 1  PointerCount: 2
        Directory Object: e155ad10  Name: mutex_file_0x006E005D

!object：查看对象

!object xxxxxx：[表示对象的地址]

0550: Object: 8a14a030  GrantedAccess: 001f0001 (Inherit) Entry: e11d1aa0
Object: 8a14a030  Type: (8a3295e0) Mutant
    ObjectHeader: 8a14a018 (old version)
        HandleCount: 1  PointerCount: 2
        Directory Object: e155ad10  Name: mutex_file_0x006E005D
kd> !object 8a14a030
Object: 8a14a030  Type: (8a3295e0) Mutant
    ObjectHeader: 8a14a018 (old version)
    HandleCount: 1  PointerCount: 2
    Directory Object: e155ad10  Name: mutex_file_0x006E005D

驱动相关

!drvobj：显示驱动信息，主要显示DRIVER_OBJECT结构信息

!drvobj xxxxx yy:xxxx表示的是设备驱动地址或者名称，yy表示掩码，一般为7，不加掩码，则显示粗略信息。

kd> !object \Driver         //显示\Driver下的对象信息
Object: e101c918  Type: (8a3603b0) Directory
    ObjectHeader: e101c900 (old version)
    HandleCount: 0  PointerCount: 81
    Directory Object: e1000160  Name: Driver
    Hash Address  Type          Name
    ---- -------  ----          ----
     00  89e9a438 Driver        Beep
         8a3592d0 Driver        NDIS
         8a2a7f38 Driver        KSecDD
     01  89dcad38 Driver        Mouclass
         8a1997f0 Driver        FsVga
         8a1eb6d8 Driver        Raspti
         8a13ee40 Driver        es1371
     02  8a13f778 Driver        vmx_svga
     03  8a050ce8 Driver        Fips
         8a173bf8 Driver        Kbdclass
     04  8a05c030 Driver        VgaSave
         8a1dadd8 Driver        NDProxy
         89e00f38 Driver        Compbatt
     05  8a1ebe08 Driver        Ptilink
         89e196e8 Driver        MountMgr
         8a105ac0 Driver        wdmaud
     07  8a2a92d8 Driver        dmload
         8a2ad1c8 Driver        isapnp
     08  89df5030 Driver        redbook
         89dcaf38 Driver        vmmouse
         8a297f38 Driver        atapi
     09  8a234a08 Driver        vmscsi
     10  89a099c8 Driver        RasAcd
         8a13e958 Driver        PSched
         8a30e980 Driver        dmio
         8a050950 Driver        IpNat
     11  899b7e30 Driver        mouhid
         89e881b8 Driver        audstub
         8a13f2a0 Driver        usbuhci
         8a151da0 Driver        Win32k
     12  89aafda0 Driver        usbhub
         89e7de80 Driver        swenum
         8a167370 Driver        rdpdr
     13  89fd5258 Driver        usbccgp
         89e1ddb0 Driver        mchInjDrv
         89ed6548 Driver        RDPCDD
         89e7d9c8 Driver        Update
         89df51b8 Driver        RasPppoe
         8a1cb3b8 Driver        HTTP
     14  8a11de30 Driver        TermDD
         8a2a8160 Driver        Ftdisk
         8a1c97b8 Driver        sysaudio
     15  8a173e18 Driver        Rasl2tp
     16  8a24a480 Driver        vsock
     17  8a30d1a0 Driver        vmci
     18  8a19a338 Driver        PptpMiniport
         8a19acd8 Driver        vmxnet
         8a3132f0 Driver        WMIxWDM
         8a313878 Driver        ACPI_HAL
     19  89ac8458 Driver        vmusbmouse
     21  89e1dca8 Driver        NetBT
         8a3126d0 Driver        agp440
     22  8a262d18 Driver        Cdrom
         89e7e858 Driver        mssmbios
     24  8a10da70 Driver        Wanarp
         89a07808 Driver        Tcpip
         89e20338 Driver        mnmdd
         89ea68d8 Driver        gameenum
     25  8a24a790 Driver        VolSnap
     26  8a199ec8 Driver        intelppm
     27  89dca318 Driver        Imapi
     28  8a050be0 Driver        WS2IFSL
         89e21358 Driver        Null
         8a13e7a0 Driver        usbehci
         89ed2c08 Driver        VMMEMCTL
     29  89a09438 Driver        IPSec
         8a147938 Driver        Disk
         8a2b1218 Driver        PCI
     30  89dca508 Driver        NdisTapi
         8a262f38 Driver        NdisWan
         8a30d298 Driver        PartMgr
     31  8a13e550 Driver        Gpc
     32  8a30f030 Driver        ACPI
     33  8a35e2f8 Driver        PnpManager
     34  8a0507f8 Driver        AFD
         8a106b10 Driver        Ndisuio
     35  899dc498 Driver        hidusb
     36  8a173f10 Driver        i8042prt
         8a13e448 Driver        CmBatt
         8a313780 Driver        IntelIde
kd> !drvobj 8a313780 7               //显示InterIde的驱动信息
Driver object (8a313780) is for:
 \Driver\IntelIde
Driver Extension List: (id , addr)
(bab2c410 8a30f7c8)  
Device Object list:
8a1a2570  8a1a2740  8a30e030  
DriverEntry:   badacf05	intelide!GsDriverEntry
DriverStartIo: 00000000	
DriverUnload:  bab2c6dc	PCIIDEX!PciIdeUnload
AddDevice:     bab2a7d2	PCIIDEX!ControllerAddDevice
Dispatch routines:
[00] IRP_MJ_CREATE                      804f454a	nt!IopInvalidDeviceRequest
[01] IRP_MJ_CREATE_NAMED_PIPE           804f454a	nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       804f454a	nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ                        804f454a	nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804f454a	nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           804f454a	nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f454a	nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f454a	nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      804f454a	nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               804f454a	nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    804f454a	nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      804f454a	nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           804f454a	nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         804f454a	nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              804f454a	nt!IopInvalidDeviceRequest
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     bab2c4f2	PCIIDEX!PciIdeInternalDeviceIoControl
[10] IRP_MJ_SHUTDOWN                    804f454a	nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                804f454a	nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     804f454a	nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             804f454a	nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              804f454a	nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                804f454a	nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       bab28692	PCIIDEX!DispatchPower
[17] IRP_MJ_SYSTEM_CONTROL              bab2c46e	PCIIDEX!DispatchWmi
[18] IRP_MJ_DEVICE_CHANGE               804f454a	nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 804f454a	nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   804f454a	nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         bab2c43a	PCIIDEX!DispatchPnp
kd> !drvobj IntelIde 7              //显示InterIde的驱动信息   
Driver object (8a313780) is for:
 \Driver\IntelIde
Driver Extension List: (id , addr)
(bab2c410 8a30f7c8)  
Device Object list:
8a1a2570  8a1a2740  8a30e030  
DriverEntry:   badacf05	intelide!GsDriverEntry
DriverStartIo: 00000000	
DriverUnload:  bab2c6dc	PCIIDEX!PciIdeUnload
AddDevice:     bab2a7d2	PCIIDEX!ControllerAddDevice
Dispatch routines:
[00] IRP_MJ_CREATE                      804f454a	nt!IopInvalidDeviceRequest
[01] IRP_MJ_CREATE_NAMED_PIPE           804f454a	nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       804f454a	nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ                        804f454a	nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804f454a	nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           804f454a	nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f454a	nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f454a	nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      804f454a	nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               804f454a	nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    804f454a	nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      804f454a	nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           804f454a	nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         804f454a	nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              804f454a	nt!IopInvalidDeviceRequest
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     bab2c4f2	PCIIDEX!PciIdeInternalDeviceIoControl
[10] IRP_MJ_SHUTDOWN                    804f454a	nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                804f454a	nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     804f454a	nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             804f454a	nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              804f454a	nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                804f454a	nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       bab28692	PCIIDEX!DispatchPower
[17] IRP_MJ_SYSTEM_CONTROL              bab2c46e	PCIIDEX!DispatchWmi
[18] IRP_MJ_DEVICE_CHANGE               804f454a	nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 804f454a	nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   804f454a	nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         bab2c43a	PCIIDEX!DispatchPnp

!devobj：显示驱动设备信息。主要显示DEVICE_OBJECT结构

!devobj xxxx:xxxx为驱动地址或者名称

kd> !drvobj Beep                 //得到beep设备驱动的DEVICE_OBJECT的地址
Driver object (89e9a438) is for:
 \Driver\Beep
Driver Extension List: (id , addr)
Device Object list:
89e9a2c8  
kd> !devobj 89e9a2c8            //查看Beep驱动的DEVICE_OBJECT的信息
Device object (89e9a2c8) is for:
 Beep \Driver\Beep DriverObject 89e9a438
Current Irp 00000000 RefCount 0 Type 00000001 Flags 00000044
Dacl e13bd73c DevExt 89e9a380 DevObjExt 89e9a3d8 
ExtensionFlags (0000000000)  
Device queue is not busy.

蓝屏分析

!analyze -v：显示蓝屏相关信息，如蓝屏原因，系统上下文等